Features of Netcat

Jeffrey Kurcz School of Computer Science University of Windsor [email protected]

and sometimes the in which it Abstract is running on.

This paper discusses the many uses that Netcat Once the Hacker or Penetration Tester has this information they can vulnerabilities or use a can perform for many different tasks that need to well known exploit to gain access to the system be done on a network. Netcat is network tool that they want. Whether they exploit a vulnerable allows a user or administrator or read data over the network. This can be done by using both FTP server or a vulnerable Web server doesn’t the Transmission Control Protocol (TCP) and matter as long as they can get access to the (UDP) protocols. This machine. From there the hacker will use that backdoor to gain access whenever they want, or tool was rated #4 on sectools.org top 100 upload a Trojan or create another backdoor of Network Security Tools by insecure.org. You will their own for their own access so that another see why it is considered the Swiss-Army Knife of TCP/IP because of its high recognition and hacker cannot gain access from the same usefulness of the abilities it can perform. vulnerable program that they just used.

Netcat allows the use for all of these, from port Keywords scanning, to banner grabbing to creating a Netcat, Local Area Network (LAN), Wide Area backdoor on a host machine for allowing shell Network (WAN), Remote Access, Port Scanning, access to the hacker to take over the computer. Banner Grabbing, Server-Client Networking This is probably why Netcat is noted as such a useful tool to many hackers, and a useful tool for network administrators troubleshooting or I. Introduction debugging their networks. As newer programs, applications, and systems are released for the world, they are becoming larger in size, scale and complexity. This issue II. History creates potential for many small bugs and Netcat is a simple utility with its last glitches in programs because they are so large stable build in 1996 by the creator named Hobbit. that a developer may miss key issues, or for There has been many other successors to Netcat testing purposes create a bug to be used then late such as Socat, Cyrptcat and ncat. The name for get to take it out when publishing. Since so Netcat comes from the UNIX tool which many vulnerabilities are appearing there are reads and writes files from an operating system, many tools to help a hacker or penetration tester where Netcat reads and writes data on a network assess and validate the security of a vulnerable or communication using the TCP or UDP protocols. invulnerable system.

The purpose of Netcat is for network Netcat is one of these tools. It offers such a administrators to troubleshoot or debug issues diverse scale of features that it is capable of pertaining to their network either locally or taking hold of a system from the beginning, remotely, while it also has those uses Black hats starting with scanning and looking for open ports can use it for mischievous tasks. Netcat can be that services may be running on a system. With run as a simple standalone line the next step of banner grabbing which is program or as backend for another program or connecting to this system on an open port and script. getting a response from the server on which services are running along with which version III. Features for the ports you can list an individual port, a range of ports such as 80-90, or multiple different ports such as 22, 80. 3.0 Netcat Syntax In the example below we scan socr.uwindsor.ca Here is the general syntax for Netcat: to see if ports 22 (SSH) and 80 (Web Server) are open. nc [options] hostname port[s]

To Netcat run as a server you must include the following two flag options:

-l: this option sets Netcat to listen for incoming connections. -p: this option sets the port to listen on.

Other flag options for client or server are:

-h: help mode As you can see it returns the hostname, IP -d: run in background mode address of the hostname, the ports scanned as -e: inbound program to execute well as the protocol their typically used for as -z: zero-I/O mode [used for scanning ports] well as the status of the port, being open or -n: numeric IP address only closed. -u: run as UDP -r: randomize local ports 3.2 Banner Grabbing -w: timeouts for connects Banner Grabbing is a technique used in order to -v: verbose mode determine which services are running on a specified port by requesting a connection to the 3.1 Port Scanning server and the server returns basic information to let an application know which protocol to use to Port Scanning is a technique which is used to make a connection. scan a system to determine which ports a system has opened and closed. For the first 1024 ports To do a simple banner grab simply try to connect there are standard programs that typically run on to the server running the open port and send known ports. Such as port 80 is for Web servers, some information. For example to connect to a 21 for Transfer Servers, 22 for secure shells, web server and see what is running you can 110 for POP e-mail servers and the list continues. nc socr.uwindsor.ca 80 There are much better tools for port scanning such as which is a “network mapper” and Then once connected type: will identify all hosts running on a network within a specified IP range as well as many of / HTTP/1.1 the services running on the hosts and other information about the Operating System and the This will generate a simple request to a web versions of software running. Although Netcat server and return the web service running, the allows for very similar and basic activity once version of that service as well as any patches or you understand how to use Netcat it is just as add-ons. It will also return the host operating powerful as other tools. system it is running.

To run a port scan using Netcat you can use the following command: nc –v –z hostname ports

For the host you can use an ip address or a dns name, and netcat will perform a dns lookup. Also

The following example shows the information displayed when trying to connect to a secure shell running on the same host.

3.4 File Transfer

Since Netcat allows data to be transferred back and forth on the same connection, it doesn’t matter if it is plain text data or a file. They will

both work the same way. The only difference is Many other port scanning and vulnerability how you start the server and data. You can use assessment tools also do a banner grab when the Input and Output flags on either the client or doing a scan and inform you which services are the server. Generally if you want to transfer a file running and which may have open vulnerabilities from the client to the server you will use input on that can be exploited. the client and select the filename to be transferred. While on the server if you know

there’s a file being sent you will choose the 3.3 Basic Chat Interface output to be of the same filename or file type as

Netcat also has the ability to run as either the the client is sending. client or as the server, allowing it to play both roles. If a user wanted to they could run Netcat The following image depicts a client sending as a server on one machine and connect the client somefile.txt as the input to the server in this case to it using the port that the server is running on. just using the default output method. The server Once the client is connected to the server it can will display what the client has sent. If the server then communicate by using its own specific had run with the option > someotherfile.txt the protocols if applied to an application. In our case content of the file being sent from the server we will just use it as a simple chat program. would be saved into that file as the output method. To run Netcat as a server type: nc –L –p port

To run Netcat as a client and connect, type: nc hostname port

The example below shows a server and client both running on the loopback interface of the same machine. Although this works the same way if the client and server are connecting remotely. In the image below the Server and Client are labeled, but the option flag –l or –L stand for listen, which will listen for connections, making it the server. 3.5 Creating a Backdoor

Backdoors are extremely useful to allow for system you are not given output like in a remote access to a system because it opens up windows environment. By typing UNIX the ability to take control of the host you are commands we get a response and that is how we connected to. Once a hacker connects to a know we are successfully connected and it is a backdoor it is important for them to create a new UNIX system. backdoor in which only they can connect to so that if another hacker tries to gain access they can’t take over the first hacker that connected. Usually a hacker will plant a Trojan and another method to allow unlimited access whenever they want as well as the use of a password so only they know it.

Netcat has the ability to run an external program upon creating a connection. This is incredible useful if one wants to load the Windows As you can see by typing ‘’ it returns your Command line as an external connection, or a current working directory, in this case it is Bash Shell to a UNIX environment, this will /var/mobile. Now when we type ‘ –a’ it allow total control of the machine. To do this, on will print our kernel information: the server type: Darwin Jeffs-iPhone 10.0.0d3 Darwin Kernel nc –L –p 4444 –e cmd.exe Version 10.0.0d3: Wed May 13 22:16:49 PDT 2009; root:xnu- The –e flag is what will run the external program 1357.2.89~4/RELEASE_ARM_S5L8920X upon connecting to the server. For the client, just iPhone2,1 arm N88AP Darwin connect to the server with the port as normal and you will be given the windows prompt. The IV. Experiment following image is what you would see In the experiment we will look into some connecting to a windows shell backdoor. of the features that have been explained

previously and compare them to other tools that offer the same functionality. As well as try these tools on different platforms.

I will compare port scanning against nmap which is designed for specifically scanning hosts on a network. I will speed of each program for port scanning as well as information retrieved by both. I will demonstrate the use of these programs from the installation to the advanced techniques available.

Some of the different test environments I have

access to locally attempt these tests on are: You can see after connecting to the server, you are prompted with a windows command line Laptop: interface. Now you can perform windows AMD Turion 64 x2 2.00 GHz, 3.00 GB RAM commands and have expected output much like Windows 7 Professional in the image above. Note, this client is connected to the same machine as the server, but it works Desktop: similar if they are remote connections. AMD Sempron 1.60 GHz, 960 MB RAM Windows XP Professional, SP2 Take a look the next image, where the Netcat server is now running on a UNIX environment iPhone: on my phone, which is not a local connection, ARM Cortex A8 600 MHz, 256 MB RAM but now remote. When you connect to a UNIX iPhone OS

I will explore more in-depth features of Netcat as well as try and find many more uses to the . References already mentioned features. [1] Brian Baskin, Netcat Power Tools, Syngress Publishing Inc, Burlington, MA, 2008. V. Conclusion In Conclusion you can see how useful Netcat is [2] Netcat: the TCP/IP swiss army: http://nc110.sourceforge.net an many of its different unique features making it extremely powerful. It is listed as one of the [3] Netcat. From Wikipedia: best tools to use for Network Troubleshooting or http://en.wikipedia.org/wiki/Netcat debugging, but can also be used for a hacker to [4] Ncat Users’ Guide: http://nmap.org/ncat/guide/index.html compromise a system from start to finish with just this tool alone. Any Network or Security [5] Mati Aharoni, Netcat Security: Administrator should include this tool in their http://www.webpronews.com/topnews/2003/10/20/netcat- toolbox. In our experiment we will compare the security benefit of using this tool compared to other tools [6] Nmap - Free Security Scanner For Network Exploration out there that are similar. & Security Audits: http://nmap.org/

[7] Nmap. From Wikipedia: http://en.wikipedia.org/wiki/Nmap

[8] NetCat Tutorial: http://www.securitydocs.com/library/3376